Cutwail drives spike in malicious HTML attachment spam



Botnet: Cutwail
Malware: Cridex
Exploit kits: Phoenix
Date: 2012 / February 16th, 2012
Editor/Conference: M86 Security Labs
Link: http://labs.m86security.com/2012/02/cutwail-drives-spike-in-malicious-html-attachment-spam/ (Archive copy)
Author: Rodel Mendrez

Abstract

Over the past month, we have observed several large spam campaigns with malicious HTML attachments. We believe the botnet behind these campaigns is Cutwail. Here is data we collected, starting from the first day of 2012, illustrating spikes of spam with malicious HTML attachments:

Attaching an HTML file to an email is a tactic we have seen used in phishing. But recently, attackers have spammed out large volumes of HTML attachments that include malicious JavaScript. Here is an example we received a few days ago:

In the image above, we opened the message with the attached .HTM file using the Mozilla Thunderbird email client. Although Thunderbird rendered the HTML attachment, fortunately its default settings prevented the malicious JavaScript in the HTML source code from running. The Thunderbird user needs to click the attachment or open the HTML file in a browser for the JavaScript to run.
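The post's point is that the attachment is harmless while the mail client merely renders it and becomes dangerous once the user opens it in a browser that runs the embedded JavaScript. A mail gateway or triage script can flag such attachments before that happens. The following is an added example, not code from M86 Security Labs or from the Botnets.fr page: it parses a raw RFC 5322 message with Python's standard `email` library, extracts `.htm`/`.html` attachments and scores them against a small list of script indicators. The sample message, the indicator list, the weights and the threshold are all constructed for this example; the JavaScript in the sample is a placeholder and is not the payload used by the Cutwail campaign.

```python
"""Flag e-mail messages whose HTML attachments carry JavaScript.

Added example (not from the M86 post). Sample message, indicators and
weights are constructed for illustration only.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators commonly found in script-bearing HTML attachments. The weights
# are an assumption for this example, not values from the original post.
INDICATORS = {
    r"<script\b": 2,
    r"\bdocument\.write\s*\(": 2,
    r"\beval\s*\(": 2,
    r"\bunescape\s*\(": 1,
    r"\bfromCharCode\s*\(": 1,
    r"<iframe\b": 1,
    r"\bsetTimeout\s*\(": 1,
}

HTML_EXTENSIONS = (".htm", ".html")


def html_attachments(msg: EmailMessage):
    """Yield (filename, decoded text) for every HTML attachment in the message.

    An inline text/html body part is not an attachment and is skipped; a part
    is selected if it is a text/html attachment or its filename ends in .htm/.html.
    """
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""
        is_html_attachment = (
            part.get_content_type() == "text/html"
            and part.get_content_disposition() == "attachment"
        )
        if is_html_attachment or filename.lower().endswith(HTML_EXTENSIONS):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            yield filename, payload.decode(charset, errors="replace")


def score_html(text: str):
    """Return (score, matched patterns) for one HTML document, case-insensitively."""
    score, hits = 0, []
    for pattern, weight in INDICATORS.items():
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(pattern)
            score += weight
    return score, hits


def scan_message(raw: bytes, threshold: int = 3):
    """Parse a raw message and list HTML attachments scoring at or above threshold."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for filename, text in html_attachments(msg):
        score, hits = score_html(text)
        if score >= threshold:
            findings.append({"filename": filename, "score": score, "hits": hits})
    return findings


def build_sample(malicious: bool = True) -> bytes:
    """Construct a sample message with a .htm attachment (constructed, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please open the attached invoice.")
    if malicious:
        # Placeholder script: decodes an obfuscated string and writes it into
        # the page, the kind of pattern the indicator list is meant to catch.
        html = (
            "<html><body>Loading...\n"
            "<script>var s=unescape('%3Cif'+'rame%20src%3D%22http%3A//example.invalid/%22%3E');"
            "document.write(s);</script></body></html>"
        )
    else:
        html = "<html><body><p>Invoice total: 42</p></body></html>"
    msg.add_attachment(html, subtype="html", filename="invoice.htm")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(f"{finding['filename']}: score {finding['score']}, hits {finding['hits']}")
```

Scoring on indicators rather than on a single `<script>` match keeps legitimate HTML newsletters that carry no script below the threshold, while the unescape-then-write pattern in the constructed sample scores well above it. The regexes match only literal tokens, so heavily obfuscated scripts that build these names at runtime will need a more capable detector; this example demonstrates the extraction and the triage shape, not a complete classifier.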

Bibtex

 @misc{Mendrez2012BFR901,
   editor = {M86 Security Labs},
   author = {Rodel Mendrez},
   title = {Cutwail drives spike in malicious HTML attachment spam},
   day = {16},
   month = feb,
   year = {2012},
   howpublished = {\url{http://labs.m86security.com/2012/02/cutwail-drives-spike-in-malicious-html-attachment-spam/}},
 }